Slashdot Mirror


BBC Hijacks 22,000 PCs In Botnet Demonstration

An anonymous reader writes "'[The BBC] managed to acquire its own low-value botnet — the name given to a network of hijacked computers — after visiting chatrooms on the internet. The programme did not access any personal information on the infected PCs. If this exercise had been done with criminal intent it would be breaking the law. But our purpose was to demonstrate botnets' collective power when in the hands of criminals.' The BBC performed a controlled DDoS attack, 'then ordered its slave PCs to bombard its target site with requests for access to make it inaccessible.'"

20 of 457 comments

  1. why use botnet by fredan · · Score: 5, Funny

    when you can use slashdot!

    1. Re:why use botnet by Spazztastic · · Score: 5, Funny

      when you can use slashdot!

      Well, a botnet is probably faster. By the time your article gets through the submission queue the target would probably have gone offline along with the sun burning out.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    2. Re:why use botnet by Opportunist · · Score: 5, Funny

      The botnet is not stronger. But it is quicker. Easier. More seductive.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:why use botnet by N1AK · · Score: 5, Interesting

      I wrote about this story on my site and submitted it to The Reg at 10:20 this morning when I read the story on their website. Now it's been aired on TV it seems to be getting a lot of coverage. I added an update a few minutes ago covering the two areas of the Computer Misuse Act that are likely to be quoted quite a bit in the debate about the legality.

      I find it amazing that something this dubious was allowed to get all the way to airing without someone at the BBC having a hissy fit. Perhaps they have received legal advice that said it was legit?

      As an aside, if I had wanted to submit my page to Slashdot is there a way I could have done it that (assuming it got published) wouldn't result in my host wishing a painful death upon me? I didn't change it partly because it's a short write up and partly for that reason.

    4. Re:why use botnet by Piranhaa · · Score: 5, Funny

      This demonstration never really took place. They made up a bogus story that will get Slashdot to DoS the site for them.

    5. Re:why use botnet by MatB · · Score: 5, Informative

      I suppose that the BBC views themselves as a branch of the British government.

      Hah! You jest, surely?

      Yes, I know that it is supposedly an "independent" organization,

      It is

      but it is fully-funded by taxpayers in the UK.

      Incorrect.

      The BBC is funded by a licence fee that all TV set owners pay, it's raised independently of the government and is specifically not a tax, the money never goes anywhere close to the Treasury. Many people chose not to have a TV and thus don't need to pay the license (I was one of these people for about 3 years, I had dial-up and a DVD collection, what'd I need a TV for?)

      It also gets money from overseas sales and a semi-independent part dedicated to overseas broadcasts is funded by the Foreign Office in the same way as Radio America and similar.

      I suspect the BBC has broken the law. I suspect they'll get investigated. I think that, regardless, they did the right thing--most people have no idea what a botnet is, let alone how much damage they do. Anything that raises awareness amongst domestic users in an open and transparent way is good. Those that had their PCs hijacked might do well to upgrade their security (again).

      --
      Mat Bowles
  2. Breaking the law by qoncept · · Score: 5, Interesting

    If this exercise had been done with criminal intent it would be breaking the law.

    Ok, so, I don't know much about the laws, but it is illegal, isn't it?

    --
    Whale
    1. Re:Breaking the law by jeffmeden · · Score: 5, Funny

      Don't worry, it was a "low value" botnet... That makes it OK.

    2. Re:Breaking the law by Dr Caleb · · Score: 5, Funny

      It's an electrically charged net that we use to catch runaway robots. Like the Ethernet we use to catch the EtherBunny.

      --
      "History doesn't repeat itself, but it does rhyme." Mark Twain
    3. Re:Breaking the law by Opportunist · · Score: 5, Insightful

      It's ok to tell him to get the f.. out. But most people, to return the analogy to the PC, don't even care that someone is standing there, in the middle of their living room, making unsolicited phone calls from your landline, telling everyone about your tv watching habits or even stuffing your jacket pockets with leaflets. As long as they don't trash the place, most people don't care that someone is standing there, coming and going as they please, leaving the window open for any burglar that wants to come in.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Breaking the law by Gryften · · Score: 5, Funny

      The EtherBunny is the one that runs around anaesthetizing kids to commemorate the resurrection of Jesus, right?

    5. Re:Breaking the law by debrain · · Score: 5, Informative

      Regardless of intent it is illegal. They are gaining unauthorized access to someone's PC and using it for their own personal gain. If I were to demonstrate how to crack someone's WEP key in 5 minutes without the victim's explicit written permission it would be illegal, even if done just for "educational purposes." Sure, it's edgy reporting, but it is still highly illegal.

      Why do you say that? These statements have no legal meaning or merit.

      I'm not overly familiar with British criminal law, per se, but I am handy in the commonwealth legal principles (having studied law in three commonwealth countries, and being a lawyer in a commonwealth country and New York state), and while anyone would need legal advice specific to their jurisdiction (i.e. none of what I'm saying is legal advice), I can say with reasonable confidence that this act of the BBC would be criminal in only two scenarios:

      1. There was mens rea, or the guilty mind, component of a criminal act; or

      2. The BBC committed a crime where mens rea is not required (viz. a crime of strict or absolute liability).

      As the guilty mind seems to be lacking on these facts, only crimes of strict liability may be laid against the BBC. As I don't know of any strict liability crime arising from these facts, I surmise that they have not broken one, but I stand to be corrected.

      It may be a civil wrong that is a species of trespass, or that violates some statute specific to computers and/or the internet, but in the absence of provable damages by someone affected (i.e. the botnet computer owners or the DoS'd computer), there is no cause of action that would give rise to a lawsuit. The botnet owners don't know they are on a botnet, so their damages are negligible -- if anything I would argue they benefit from being taken over by the BBC as opposed to someone with actual malicious intent. The DoS'd machine is presumably one owned by the BBC.

      Even if found to be guilty of civil or criminal wrongdoing, the BBC may have a complete defence because their act was taken as part of a protected form of investigative journalism or alternatively because they are acting as a good Samaritan in the public interest. They seem to be acting with the interest of exposing to the public and documenting a very important situation on the internet. Their investigative journalism is good for the public and the owners of the botnet who may thus become aware of their participation in this grand malicious scheme. In addition to these defences, it would be bad public policy to stifle such valuable investigative journalism.

      In any case I'm confident that the lawyers for the BBC have given this due consideration. That a large, sophisticated corporation actually did this for the purpose of publication, and then did publish it, strongly suggests that it is not illegal.

      In the United States your mileage may vary (i.e. taking control of a botnet even with good intentions may be illegal). There are a large number of laws that are driven by commercial interest groups, which laws give rise to "criminality" in spite of the public's interests to the contrary. Thankfully most of the world, including the BBC, isn't generally subject to these laws.

      Please don't mislead people with sensationalistic statements like "highly illegal", without at least providing some modicum of support for these otherwise bald assertions. What criminal law do you think the BBC broke? Your post appears wholly incorrect, unsupported and misleading. It distracts from the real issues at hand, wastes readers' time, and is disrespectful to those who value facts and truth. Please consider taking the time to research your assertions before posting to a public forum like this. Thank you.

  3. It gets better by blowdart · · Score: 5, Insightful

    Controlling machines without permission? Against the computer misuse act.

    They used the botnet to spam two email accounts, one at gmail and one at hotmail. That's against the computer misuse act.

    And they changed the wallpaper on the machines on the botnet. Against the computer misuse act.

    Their "justification" doesn't fly; not having criminal intent is not a defence against the law.

  4. Not against the law??? by RingDev · · Score: 5, Insightful

    If this exercise had been done with criminal intent it would be breaking the law.

    So if I install software on your machine that you paid for, consume the bandwidth that you are paying for, burn extra electricity that is paid for by you, all without ever even letting you know about it, so long as I'm doing it for finding a cure for cancer, it's perfectly legal?

    What if I use that bot net to distribute the load of rendering animated gaping anal gay midget porn movies? It's not a crime to render animated gaping anal gay midget porn movies, so I have no criminal intent, so it must be legal, right?

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  5. Agreed. Mod parent up. by mmell · · Score: 5, Insightful

    I've been on the bad side of this one - a lack of criminal intent does not mitigate or extenuate criminal action. Their guilt is quite plain (having been admitted, even published by the BBC itself). Now, their lack of criminal intent does have a bearing on sentencing. Inasmuch as the BBC did not wilfully cause damage or fiscal loss to anybody (except, potentially, themselves?), the sentence should be something on the light side, perhaps even suspended; but the matter of their guilt is simple black-letter law.

  6. Re:Now this... by sopssa · · Score: 5, Informative

    Accessing and modifying data on other people's computers is illegal. Better article written by a known security researcher Dancho Danchev, who also thinks it was a controversial and illegal act.

    Even if your intentions are good, I DO NOT WANT you using my computer or making changes to it without my permissions.

  7. Don't focus on the legality by Reality Master 201 · · Score: 5, Insightful

    Everyone's going on about how it's actually illegal and the intent doesn't matter (I don't know either way - it is Britain and maybe things work differently there).

    What about the fact that some guys from the BBC were able to gain control of 20k infected machines on the web just for the purposes of doing a story? To me, the implications of that are far worse than any possible criminality.

  8. Skewed views of the law by grayn0de · · Score: 5, Interesting

    Way to go, BBC. You have moved past bringing the populace breaking news stories to creating them! I am looking forward to the next headline, regarding this. I think we all agree that gaining unauthorized access to another computer is, not only unethical, but illegal. I am surprised, being that this article is on slashdot, now, that the BBC is not already feeling the ramifications of its actions. I highly doubt they asked everyone in those chat rooms: "Hi, we are from the BBC, we would like to pwn your computer in the name of exposing cyber security risks. Is this okay, with you? Great, Thanks!"

  9. Re:Now this... by sakdoctor · · Score: 5, Insightful

    Then get some security.

    No unlocked car or house door analogy is even slightly useful in this case.

    Computer security by law is worse than security by obscurity, or security by Symantec product.

  10. Unbelievable by ppentz · · Score: 5, Insightful

    Ugh, I can't stand the attitude here. Botnets are a HUGE problem. People need to know if their PCs are hijacked and they need to be fixed. If my PC is hijacked, I want to know about it. Now. When someone's PC is used in a DDOS attack, isn't that illegal activity? I've always heard that ignorance of the law is not an excuse, so if someone is not aware their PC is being used illegally, their PC is still being used for illegal purposes ... should they be held accountable? If there is an activity that is *questionably* legal but can potentially help with the Botnet problem, I'm all for it.